October 17, 2014 at 5:49 am #8745
I was curious how infosec teams at other hosting companies handle the security questionnaires from potential customers. With a steady amount of questionnaires coming in, I see the infosec team spending massive amounts of man hours trying to fill these out and get them back to the customer in a decent time so as not to impact the sale. I’m wondering if other companies have found a good way to handle these (or a good portion of them) by having the sales folks check a QA database before handing them off to the security team, or simply respond with the company’s compliance certifications, or…something else?
November 5, 2014 at 5:23 pm #53949
Not surprised there aren’t any comments here. The less sexy side of security 😛
Anybody who sees this thread able to recommend another way (Twitter, another forum, upcoming related webcast, etc) to ask this question so that it can reach the proper audience?
November 5, 2014 at 10:04 pm #53950 (m0wgli, Participant)
I’ve given the link to this question to someone I follow on Twitter who works as a Hosting And Security Consultant.
Hopefully, they’ll provide you with an answer or at least direct you elsewhere.
November 5, 2014 at 10:32 pm #53951
Thanks m0wgli, much appreciated!
I sat in on 451 Research and Veracode’s webinar today on “Strategies for Third-Party Software Security that Actually Work” and got some tips on this.
– Have a database of canned responses to commonly asked questions. Helps speed up filling out questionnaires.
– Have a secure portal for customers where you store security information: certification and compliance info, application/network scan results, etc. This location in the portal can be shared with customers when they’re onboarded.
November 6, 2014 at 8:02 am #53952 (RoleReversal, Participant)
Hi lorddicranius (and thanks to Mowgli for the prod),
You’re not alone: these are/were the bane of my life whilst working in DCs.
I think the QA database and portal are the ideal process, but in practice real-world application doesn’t deliver on the promise (in my experience). Especially if you’re handing the process off to a sales or other employee who couldn’t complete the questionnaire in the first instance, the answers database may not help them unless the questions in the questionnaire and your FAQ are exact, or very close, matches. Or, worst-case scenario, the sales guy misinterprets the content and you either end up having to rapidly backtrack with the (potential) client and explain why the original answer is incorrect (and why, despite that, they should still use your services), or the error gets missed entirely and you end up contracted to something that you don’t (or can’t) deliver.
Probably best left developing the silo for some quick cut&paste turnaround, but keep as a tool for someone who at least understands the content at a high level.
Unfortunately (and I’ll gladly take suggestions if anyone can help prove me wrong), the best/quickest way to complete the flood of questionnaires is simply to have a knowledgeable security body complete the questionnaires. It’s not fun (at all) but over time you do get quicker and more accomplished, reducing the pain needed.
Long term, we’ve found that having equal or higher compliance certifications yourselves to that requested of the client can reduce your burden, if the assessment of your own facility and services becomes a quick review that your certs are correctly scoped to client requirements and valid. You still need to go through the pain and cost of the audit process, but this is reduced to once for yourself, not multiplied by every client that needs answers to the same questions.
Sorry for not being able to point you to the holy-grail of checkbox-checking prowess, but that’s been my experience from the same position.
It’s not necessarily all doom and gloom though (especially if anyone reading this is looking for a foot in the door to step into a security role): NO ONE likes completing these audits, so if you show the slightest interest and capability you WILL get given the task, giving you a chance to gain experience, and proven capability to perform, within the infosec side of a business. Or on the flipside: if you have a young PFY eager to prove themselves… At the very least, that’s how I gained the opportunity to move out of the hosting team (started at the bottom rung as an intern/work placement during uni) and ‘graduate’ to the security team proper (though I’m still stuck completing audit questionnaires for my old Hosting team; I missed a trick there somewhere…).
Hope this is of some help, at the very least may provoke a flood of people to suggest I’m completely wrong and get you some actual usable advice from those with better answers 😉
November 7, 2014 at 1:56 pm #53953
Thanks for sharing your thoughts and experiences, RoleReversal! Very much appreciated. And thanks m0wgli for pinging him on Twitter 🙂
It’s definitely good hearing the experiences of other shops. This isn’t something new for us, but has definitely ramped up in the last year and the amount of time some of our security engineers are putting in to fill these out has been crazy. But like you said, the more they run through these, the faster they are getting at filling them out.